We all need to increase our "business bandwidth" - that is, the nature and volume of business data and information which passes through our consciousness. Toward that end, some of the following website offerings may be of interest to you:
BusinessWeek.com
Forbes.com
Fortune.com
More advanced, and more accounting specific, sites could include:
FindWhitePapers.com
SmartPros.com
CFO.com
The "findwhitepapers" site will allow you to access "white papers" on subjects you select. White papers may be loosely defined as relatively short, topic-specific articles on a particular (searchable) subject, often prepared by a business which is selling goods/services mentioned in the article. Many of the referenced sites will allow you immediate access to the white paper; others may require you to register (that is, provide an email address, to which they send the article). SmartPros is a good site for current information, trends, and happenings in the accounting and business world. And CFO.com is the website for CFO Magazine, a monthly periodical offered free of charge, and containing higher-level, informative articles about accounting and finance.
Finally, subject specific sites of interest might include:
ComplianceWeek.com
FierceFinance.com
FierceSarbox.com
Infoworld.com
Compliance Week Magazine is a high-level periodical, with website, providing detailed and current information regarding corporate governance and Sarbanes-Oxley / PCAOB / public company happenings. Articles are written by individuals with extensive involvement in the subject (one of the frequent contributors is Harvey Pitt, who was Commissioner of the SEC before current Commissioner Christopher Cox; another contributor is Richard Steinberg, former senior partner at PwC and lead project partner in developing the COSO Internal Control - Integrated Framework and COSO's Enterprise Risk Management - Integrated Framework). An annual subscription to Compliance Week is about $1000, but they will allow you to sign up for a 4 Week Trial program, at no charge (IMHO, the price is right!). FierceFinance and FierceSarbox are free sites which will email you, about weekly, articles and current events regarding their specific titles. InfoWorld will email you information regarding IT hardware and software issues.
This wiki page is intended to provide the reader with specific information regarding topics discussed during our current coursework for ACG 5405. Please add articles and websites to the headings indicated below, and add new headings as appropriate.
Topic 1. Enterprise Risk Management (ERM)
1) "The Particulars of Good ERM" from a four-part series by Mr. Richard Steinberg, former partner at PwC, and lead project partner in developing the COSO Enterprise Risk Management - Integrated Framework, the four articles appearing in the January through April 2007 editions of Compliance Week magazine.
Enterprise Risk Management is the "process to identify, assess, and manage risks that could interfere with the achieving of a company's objectives." ERM must fit within the strategic objectives of the company. As such, ERM is enterprise-wide. Senior management and the Board would be tasked with surveying the enterprise and noting high-level risks. Operational managers would be tasked to identify risk situations at the tactical business level. ERM implementation is not without costs - both in time and money. The author uses an image of driving a car at night, utilizing parking lights, low beams, and high beams as pictures of the importance of searching out risks that are present and should be identified early enough to not cause serious business consequences.
Mr. Steinberg uses the COSO Model of Risk to briefly discuss ERM application techniques:
1) Internal Environment - management should employ risk-based analysis in order to gain insight into the organization's culture, creating an organizational "heat map" of high risk situations.
2) Objective Setting - the author uses an illustration of a company viewing its "risk appetite" by plotting desired rates of return versus capital at risk in a graphical format.
3) Event Identification - Companies may use tree diagrams, also called "fishbone" diagrams, to identify and pictorially represent uncertainty.
4) Risk Assessment - management will assess risk from several perspectives, including a) the likelihood of the event happening, and b) the business consequences of the risk.
5) Risk Response - After identifying and assessing the risks, management will decide among alternative responses to the risks through some combination of a) acceptance, b) avoidance, c) reducing, and/or d) sharing the risks.
Topic 2. The Fraud Connection
The SEC has repeatedly commented that the potential for override of controls and managerial misrepresentation of financial statement assertions by the senior management of smaller companies is a primary reason that non-accredited filers should be held to similar auditing standards as current accredited filers.
1) http://snipr.com/1npna A study conducted by the Institute of Fraud Prevention has looked at over 800 companies who have filed restated financials, and found that an average of seven people (including CEOs, CFOs, COOs, general counsels, and internal and external auditors) were involved.
2) http://snipr.com/1npnc Another study, performed by KPMG, indicates that fraudsters, while working in collusion, were able to perpetuate their frauds over extended periods of time (months, and even years) before being discovered. So, should we even worry about a disgruntled AP clerk creating a bogus vendor/invoice payment scheme? (This site is Computer Week, discussed above. You will be asked if you wish to sign up for a 4 week trial subscription, at no charge; if you agree, you will be directed to the article following your registration.)
3) "10 ways to Minimize Your Risk of Fraud," by John Tonsick, Associate Director, Protiviti Inc. This article came from the protiviti.com website, and was first presented by Mr. Tonsick at an Institute of Internal Auditors Conference on Ethics and Fraud, on Aug 4, 2004.
Fraud is big business, costing US businesses more than $600 billion annually, based on estimates from the Association of Certified Fraud Examiners (ACFE). The ACFE also estimates that fraudulent schemes committed by management and executives result in losses more than four times greater than losses from schemes conducted by lower level employees. Some of the ways to minimize fraud include:
1) expect fraud to have been occurring in your organization
2) segregate duties
3) review and enforce security measures at all levels
4) test, and retest, internal controls
"An anonymous survey [Mr. Tonsick does not indicate a source for this statement] of public company CFOs indicated that two-thirds of them had been pressured to cook the books, and that one-third admitted doing it."
4) "5 Questions to Uncover Project Fraud," by Steven Rollins, published 12-23-04 in the Sarbanes-Oxley Compliance Journal.
The author defines "project fraud" as any fraud conducted by anyone who is part of a project team (virtually any employee of any company sooner, or later, works with other employees on a "project"). But Mr. Rollins' definition is germane in the sense that many frauds are conducted by more than a single individual. The five questions he would ask to identify "project fraud" are:
1) Is the business carrying out managerial strategic risk planning?
2) Are tactical and strategic managers managing their projects effectively?
3) Is poor visibility giving a project (and its employees) an opportunity to commit fraud?
4) Is the company's workforce accountable to achieve business goals?
5) Is there a safety net (this concept is neither defined nor developed by Mr. Rollins in the article) to protect business assets from project fraud?
Topic 3. SOX
PCAOB / Sarbanes Oxley
1) http://snipr.com/1npne Out with the "2" and in with the "5." The PCAOB has superseded AS 2, replacing it with "principles-based" AS 5. The revised standard emphasizes the importance of materiality and fraud risk, and attempts to scale the audit to the smaller public companies. (This is the Computer Week site referenced above. You will be asked if you wish to sign up for a free 4 week trial subscription; if you agree, you will be directed to the article following your registration.)
Topic 4. Controls and More
1) http://cfo.com/article.cfm/9358291?f=home_featured&x=1 AS2 could not do it . . . can AS5? Creating a workable, understandable, functional definition of "materiality" is not easy. The SEC recently asked "Is the standard of materiality appropriately defined in AS 5?" No, said the influential Committee on Capital Markets Regulation.
2) http://snipr.com/1npng A business deciding whether or not to use Visio, the necessity of accounts payable approval signatures, supply chain management issues . . . it's all here in a case study of a very high-tech company with a very low-tech control system. (This link will take you to Compliance Week website; if you register for a free 4 week subscription, you can access the article after registering.)
3) http://snipr.com/1npnl (http://www.accountingweb.com/cgi-bin/item.cgi?id=103553&d=883&h=884&f=882&dateformat=%25e-%25h-%25y) For small public companies, it's SOX showtime! Consultants Lord & Benoit have put together a listing of the types of material weaknesses typically found in small companies. The most likely deficiencies relate to lack of accounting and disclosure controls, revenue recognition issues, and the financial closing process (this would be Chapter 16 in our AIS textbook).
4) http://snipr.com/1npnm What to make of "materiality?" Says the CEO of Financial Executives International, "...companies will no longer view materiality from the perspective of the investor, but from the perspective of an SEC reviewer." Is the PCAOB too overzealous?
5) http://snipr.com/1npno The SEC recently proposed measures designed to modernize some of the control systems at smaller companies. (This site is the Computer Week site discussed above. You will be asked if you wish to sign up for a free 4 week subscription. If you agree and register, you will be directed to the described article.)
6) http://www.msnbc.msn.com/id/19158343/ The SEC wants small public companies to embrace SOX. Ask the CFO of a California-based biotech company how she thinks small companies feel about SOX compliance - "... they are panicking."
7) http://accounting.smartpros.com/x57925.xml XBRL International, the FASB for XBRL implementation, now has 22 "jurisdictions" committed to XBRL adoption.
8) "Case Study - How a Mutual Fund Embraced XBRL," by Melissa Aguilar, from an article in Compliance Week Magazine, February 2007.
In 2006, the SEC asked Old Mutual Capital, a mutual fund company in Denver, Colorado, to participate in its XBRL pilot program. Old Mutual agreed, and engaged consultants Rivet Software, also of Denver, in order to utilize Rivet's "SEC XBRL Package" for developing taxonomies for reporting. Julian Sluyther, president of Old Mutual, said the project "wasn't very laborious to do." The business took about three calendar weeks to develop their initial report. IT director Jay Bunger said that the initial report "took a little longer than we would have liked." He indicated that Old Mutual utilized most of the approximately 1500 reporting concept "tags" common to the taxonomy for the investment-management industry. Commented Sluyther, "There's a learning curve . . . it's too early to judge the benefits."
9) "The Trusty Old FlowChart Enjoys Revival as an Audit Tool," by Christine Dunn, from an article in Compliance Week Magazine, October 2006.
Flowcharts are making a comeback, thanks to Sarbanes-Oxley. SOX specifies that the company explain, and the auditors understand, the controls and processes that the company has implemented. SOX also requires the external auditor to perform a walkthrough of the control process, and the flowchart becomes the roadmap for the auditor to reach the required understanding. "Flowcharts provide a visual representation of the process so that the internal and external auditors can identify control gaps, as well as pinpoint the key control points that need to be tested," says David Richards, president of the Institute of Internal Auditors. Richard Chambers, managing director at PwC, says "Flowcharts also help auditors identify where potential control weaknesses exist and risk may be greater." But not everyone is convinced. Andrew Ng, director of internal audit at software company Magma Design Automation, believes "If you have good control matrices and narratives, then that should be enough to handle SOX requirements." One might ask Mr. Ng - how do you KNOW you have a "good" control matrix WITHOUT a flowchart?